Certified Information Systems Security Professional (cissp) Domain “access control”
3 likes3,651 views
The document discusses access control, which is the first domain of the CISSP certification. It defines CISSP and provides an overview of the 10 domains. It then discusses definitions of access control, different types of attacks, and methodologies for access control including administrative, technical, and physical controls. Identification and authentication methods are also explained such as passwords, biometrics, and single sign-on. The document concludes by reiterating the goal of access control is to protect resources from unauthorized access.
Certified Information Systems Security Professional (cissp) Domain “access control”
- 1. Certified Information Systems Security Professional (cissp) Report paper Domain “access control” Supervised by instructor dogus sarica prepared by zaid dawad al-rustom (20112465)
- 2. Certified Information Systems Security Professional (cissp) Domain “access control” Definitions First thing I will present some definitions about Certified Information Systems Security Professional (cissp), Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by International Information Systems Security Certification Consortium also known as (ISC) ². As of November 2012, (ISC)² reports 84,596 members hold the CISSP certification worldwide, in143countries. InJune2004, theCISSPhasobtainedaccreditationby ANSI ISO/IECStandard17024:2003 accreditatio n. It is also formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program. My definition it is an international certificate depends on it to secure the data in computers, made by a specialist computer security programmer group to provide a standard security certificate, the main advantage from this is to put many computer security laws and ethical rules prevent us against internet information crimes. The 10 Domains: 1. Security Management Practices 2. Access Control Systems & Methodology 3. Law, Investigations, Ethics 4. Physical Security 5. Business Continuity & Disaster Recovery Planning 6. Security Architecture & Models 7. Cryptography 8. Telecommunications & Network Security 9. Applications & Systems Development 10. Operations Security.
- 3. Access control "The first line of defense" Some attacks let's look at some of the different attacks on passwords there simply is called the dictionary attack brute force attacked or a combination would call a hybrid attack first of all the dictionary type what is a dictionary attack ,first of all password is not a password and clear text in the file on your computer it's a hash of the password so dictionary attacked basically takes every word in the dictionary creates ahead and then compares the hash with the file on the computer and I think it's a match that it looks back at the word it used to create that action and password a brute force attacked as just that if tries all possible combinations in order to get your hash or create your password, This type force attacked well always succeed online it literally prize all of those trust every possible combination where some of the things that you can do to mitigate those attacks well, first of all the obvious one is don't send your passwords clear text, or don't use common words dictionary words. There are some tools out there Satan being one of them that you can use to look at that password checkers, to see how secure they are identifies those that are weak and then simply change those. Access control administration The organization has to decide access control model they're going to implement where there is going to be DAC or MAC whatever they can be used expect to find that in the security policy then the technologies and techniques that are going to support that model need to be identified and they need to be put in place the standards need to be developed policies they develop the procedures need to be developed and put in place and then the next question they have to answer is how are we going to manages? are we going to any centrally one central location is going to handle everything that might work for small organization but when you get into a large
- 4. organization particularly multinational or international or even across many country, a centralized approach may not be the best solution for you and you may want to decentralize you may only want to decentralize a portion of that to someone that would refer to as the hybrid approach were let's say you centrally manage the network with them for local printers for local file shares you centralize that at that particular location so much use a hybrid approach for the management of that par for the administration of that when we talk about the centralized access control we have one into the wanted location that is making the decision with regarding access senior management has to decide that has to be defined in the security policy data owner makes the ultimate decision in senior management besides what they're going to have in place in order to support that are they going to use something like radiance or attack exploits or the new version of a radius diameter as their centralized access control the words you've got one location that location is controlling access for everybody . Centralized access control I will give an example to discuss centralized access control It is a handshaking protocol that allows that radius server to provide the authentication authorization information to the networks server and radius client we dialing we access that radius server directly certain server will contain a database of users and credentials, that radius server may have be configured to give you access to another leader a lightweight directory access protocol server that has the credentials on it for example radius server could be configured to access active directory and windows and provide that database abusers and credentials and then there needs to be communication between the radius client and the server in that communication needs to be protected , the user initiates that point-to-point protocol authentication with the provider the radius client than prompts the user for their credentials user types and the user id password , than checks those credentials either locally in its own database or against the act let's say active directory to this and then says back here in accept or reject or it may send a challenge response back and if successful then radius will allow the client access to the network so you can get there on the network and do whatever you want to.
- 5. Access control methodologies Administrative: Group membership Time of day Transaction type The methodologies for access control administrative technical and physical with administrative the group membership or group remember off what time of day or transaction type so from an administrative methodology we can restrict access to data based on time today payroll files are not accessed Sunday morning at 3:00am time of day or transaction type you're not allowed to do a transaction type equipment to do leading the database table administrative access control methodologies. Technical access control Directory service Network architecture Network access Encryption Auditing Directory service The technical layer of access control what are the techno classics access controls we've already mentioned directory service but the way that you architect the network also can be an access control and that's technical? the network access as a technical control as his encryption and let me point out one thing auditing is a technical access control audit logs our technical controls because that tracks activity of the users and systems it’s not preventative it can't prevent someone from accessing but it helps an administrator system administrator understand how the access to a place so in the future they can make changes, for directory services there are different types all of the x.500, LDAP, network directory services, and active directory all of those four different types of directory services and all of those are technical controls which directory services I saw published there except
- 6. x.500 which is the lightweight directory access protocol which basically adapts the directory to work over TCPIP. Network architecture Where you place firewalls for example you may have an internal network with in your trusted network let's say that that's just for the top secret data and you put up our wall in front of that top secret data portion of your network to block it so basically what you're doing is you're architecting network to control access you put a DMZ place you put your bastion host servers that you've removed all the extra services imports from in a DMZ the firewall front of the DMZ you put the firewall after the DMZ how you architect the network is going to control? Who has access? And who can get here? Physical layer Network segregation Perimeter security Computer controls Work area separation cabling Access control of the physical controls network segregation, perimeter security, computer controls, work area separation, and cable. network segregationist just that you can physically separate the network you can logically separate the network physically separated so that the wiring one set a routers one set of switches physically separated from other parts of the network are logically with virtual LAN’s with primary security you've got those that locks on the doors man perhaps to get into the building guards all of those are physical security controls. Computer controls like a lock on your laptop so you lock it to your desk so people can't walk off on with it for those of you better under the requirement that you can't use the USB ports a physically removing them from the device or putting a proxy into that so you can’t put the USB device into that slot because the slots been filled up with the proxy those are all types of computer controls and then were curious separation I have one client the state agency
- 7. who has direct connection with a federal agency they're both in the same physical building on the same floor but you have to go through the state agency to get to the back of the room to another private door that only the federal employees are allowed to go through and they have their own internal men trapped in order to get into the federal area to me that's work area separation and then cabling actually keeping the cables separate. Those are all types of physical layer or physical controls networks. Identification and Authentication Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time. Authentication is based on the following three factor types: 1. Something you know, such as a PIN or password 2. Something you have, such as an ATM card or smart card 3. Something you are (physically), such as a fingerprint or retina scan Passwords Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This “one-time password” provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
- 8. Biometrics An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images. Authentication in biometrics is a “one to- one” search to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. The following are typical biometric characteristics that are used to uniquely authenticate an individual’s identity: Fingerprints Retina scans Iris scans Facial scans Palm scans Hand geometry Voice Handwritten signature dynamics Single Sign-On (SSO) Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. A user must remember numerous passwords and IDs and may take shortcuts in creating passwords that may be open to exploitation. In SSO, a user provides one ID and password per work session and is automatically logged-on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO applications can run either on a user’s workstation or on authentication servers. The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting the passwords, and requiring less time to access resources. The major disadvantage of many SSO implementations
- 9. is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions. Conclusion We talked about that you could have physical or you can have logical of virtual land let's say for top secret of virtual for secret and in a virtual for public information or for unclassified data. I am going to conclude this subject on access control, we've talked about access control as being the first line of defense we've talked about how people access data and the resources that go along to make that happen the main goal is to protect resource from unauthorized access. the models discretionary access control mandatory access control role based access control and rule based access control and then whether you want to manage access control either centrally or decentralized or whether you want to use a hybrid approach we talked about the fact that controls can be administrative physical or technical controls and that regardless of whether they're administrative physical or technical those controls can give you preventative detective and recovery services I hope you've enjoyed this article about access control and I look forward to seeing you again hoca for next semester and excuse me for my English language errors Reference: 1. http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Pro fessional 2. http://www.ntgtraining.com/courses/courses_cissp_cbk_10.html 3. The CISSP Prep Guide—Mastering the Ten Domains of Computer Security Ronald L. Krutz Russell Dean Vines Wiley Computer Publishing John Wiley & Sons, Inc.